Method for determining encryption algorithm of secret communication based on mobile country codes

ABSTRACT

The present invention discloses a method for determining encryption algorithm used in security communication based on Mobile Country Code (MCC) number. In this method, a Mobile Country Code (MCC) number list is preset in a Core Network (CN), and all the MCC numbers of those countries or service providers adopting the same self-developed encryption algorithms as those adopted by the homeland are stored in this MCC number list. When a User Equipment (UE) is calling or being called, the UE sends an International Mobile Subscriber Identifier (IMSI) information of the current subscriber to the CN, and the CN parses the information and extracts the MCC number after receiving the IMSI information. The CN compares the extracted MCC number of the current subscriber with elements of the MCC number list one by one, if the MCC number of the current subscriber is identical with a certain MCC number in the MCC number list, the CN selects the domestic self-developed encryption algorithm; if the MCC number of the current subscriber is not identical with any MCC number in the MCC number list, the CN selects an available standard encryption algorithm for the security communication. The CN sends the UEA of the selected encryption algorithm to an access network; then the access network sends the UEA of the selected encryption algorithm to the UE. The present method not only allows the coexistence of standard encryption algorithms and self-developed encryption algorithm, but also simplifies the process of encryption algorithm selection. Accordingly, the subscriber interest and service quality is guaranteed.

FIELD OF THE TECHNOLOGY

The present invention relates to the selection of encryption algorithm used in security communication in 3rd Generation (3G) system, and more particularly to a method for determining encryption algorithm used in security communication by Core Network (CN) based on Mobile Country Code (MCC).

BACKGROUND OF THE INVENTION

At present, in all kinds of communication systems and particularly in mobile communication systems, the implementation of security communication is of great importance for guaranteeing security of information transmitted between subscribers. Therefore, it is necessary to protect the data being transmitted with encryption. Generally, encrypting the data for protection means an encryption algorithm is adopted by both the communication sides. The transmit side encrypts the data to be transmitted with a selected encryption algorithm and then transmits the encrypted data, which is decrypted with the selected algorithm after being received by the receive side.

In 3G mobile communication systems, the encryption function of air interface is usually implemented between a User Equipment (UE) and UMTS terrestrial Radio Access Network (RAN). According to the regulation of the prior protocol, each encryption algorithm corresponds to one single User Encryption Algorithm (UEA). An encryption algorithm is determined through comparing the algorithms supported by UE and the available algorithms designated by CN and through comparing the UEAs in the access network. As shown in FIG. 1, the specific implementing process of the air interface encryption protection in the prior mobile communication system is as follows:

1) UE sends UE security capability to the access network.

After the successful connection between UE and the access network, the UE sends its encryption algorithm capability parameters to the access network by way of a message A, notifying the access network the encryption algorithms supported by the UE. On receiving the message A, the access network stores the encryption algorithm information supported by the UE.

2) CN initiates establishment of security mode.

When initiating establishment of security mode, the CN determines the available encryption algorithms according to the presetting and sends to the access network a message B carrying the encryption algorithm information supported by the network.

3) The access network determines the encryption algorithm used in security communication.

After receiving the message B, the access network determines an encryption algorithm supported by both the UE and the access network for the security communication according to the received UEAs supported by the CN and the pre-stored UEAs supported by the UE. Then the access network sends to UE a message C carrying the determined UEA, notifying CN the finally determined encryption algorithm.

4) UE sets local security algorithm.

After receiving the message C, firstly the UE sets the encryption algorithm designated in the received message C as the local terminal security encryption algorithm; then the UE sends to the access network a message D indicating the successful setting of security mode.

5) The access network notifies CN of the successful security mode setting.

After receiving the message D, the access network sends to CN a message E which carries the selected encryption algorithm parameters and indicates the successful setting of security mode.

6) CN completes the security mode setting procedure.

After receiving the message D indicating the successful setting of security mode, the CN completes the self-setting of security mode procedure and then waits until the predetermined time is due. When the predetermined time is due, the UE and the access network begin security communication in which the encryption algorithm corresponding to the selected UEA is employed to encrypt or decrypt data.

During the above-mentioned procedure, the encryption algorithms used for encryption and decryption at air interface are placed in the terminal and access network respectively. Those encryption algorithms supported by CN must be supported by the access network. Generally speaking, encryption algorithm isn't unique. Many different kinds of encryption algorithms can be defined and each one corresponds to a single UEA. Service providers can support selection of different encryption algorithms. However, because air interface encryption is equally implemented in both access network and terminal, access networks and terminal equipments of different service providers must have intercommunication in consideration of the intercommunication among different access networks and terminal equipments. So, all the prior encryption algorithms are required to be standard encryption algorithms regulated by the protocol.

If the regulation comprises more than one standard encryption algorithm, in order to support global roam, the system must include all the standard encryption algorithms. Accordingly, all the standard encryption algorithms will be supported by CN. If it is found after comparison that the terminal and access network have more than one identical standard encryption algorithm available, because the method for selecting encryption algorithms and the priority about selection is not defined in the regulation, the access network can select any one of the standard encryption algorithms available for security communication, if only the terminal and access network adopt the same algorithm. If no identical encryption algorithm is available in the terminals and the access networks but encryption is required in CN, normal security communication cannot be provided to the terminal.

Due to the particularity of password application and in consideration of the information safeness and security of one's country or network, different countries or service providers prefer to use their individual encryption algorithms respectively in order to prevent uncertain loss which results from the ease of decrypting the password. Thus, two problems appear when the user is roaming:

1) In respect of the terminal and the access network, if one side supports a self-developed encryption algorithm which isn't supported by the other side, the two communication sides fail to select an encryption algorithm supported by both sides, which results in the failure of normal security communication.

2) For some countries or service providers who have to adopt self-developed encryption algorithms for air interface security communication, the prior mobile communication system reserves some UEAs to go with the self-developed encryption algorithms. However, since there is no unified prescription concerning use of the reserved UEAs, every country or service provider can choose any one of the reserved UEAs. So, the problem of encryption algorithm conflict may occur during the roam of mobile subscribers. For example, two different countries adopt different self-developed encryption algorithms, but these two countries choose the same UEA for their encryption algorithms. In terms of the prior setting procedure of security mode, when a subscriber of one country roams to another country and the encryption algorithms are consulted, a normal connection will be established between both parts because of their equal UEA value, but normal communication cannot be realized because of different encryption algorithms.
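The conflict in problem 2 can be reproduced in a few lines. The following is an added example, not part of the patent text: the UEA values, the party names and the SHA-256 based toy keystream (a stand-in for the two private algorithms, not a real cipher) are all constructed for illustration. It shows that negotiation by identifier alone succeeds while the decrypted frame is garbage.

```python
import hashlib

# Constructed identifiers: the page gives no concrete UEA values.
STANDARD_UEA = 1    # assumed: a standard algorithm both sides implement
RESERVED_UEA = 14   # assumed: a reserved identifier both countries happened to pick


def keystream(algorithm: bytes, key: bytes, length: int) -> bytes:
    """Toy keystream standing in for a cipher; different algorithm tags
    produce unrelated keystreams even under the same key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(algorithm + b"|" + key + counter.to_bytes(4, "big"))
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def crypt(algorithm: bytes, key: bytes, data: bytes) -> bytes:
    """XOR stream encryption/decryption (the same operation both ways)."""
    ks = keystream(algorithm, key, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


# UEA identifier -> algorithm each side actually runs under that identifier.
ROAMING_UE = {STANDARD_UEA: b"standard", RESERVED_UEA: b"country-A-private"}
VISITED_NETWORK = {STANDARD_UEA: b"standard", RESERVED_UEA: b"country-B-private"}


def negotiate(ue: dict, network: dict, preference: list):
    """Prior-art step 3: the access network compares identifiers only.
    The selection priority is not defined, so it is a parameter here."""
    for uea in preference:
        if uea in ue and uea in network:
            return uea
    return None


def roaming_session(preference: list,
                    key: bytes = b"\x00" * 16,
                    frame: bytes = b"constructed test frame"):
    """Return (negotiated UEA, whether the network recovered the frame)."""
    uea = negotiate(ROAMING_UE, VISITED_NETWORK, preference)
    if uea is None:
        return None, False
    ciphertext = crypt(ROAMING_UE[uea], key, frame)            # UE encrypts
    recovered = crypt(VISITED_NETWORK[uea], key, ciphertext)   # network decrypts
    return uea, recovered == frame


if __name__ == "__main__":
    print(roaming_session([RESERVED_UEA, STANDARD_UEA]))  # identifiers match, data does not
    print(roaming_session([STANDARD_UEA, RESERVED_UEA]))  # standard algorithm interoperates
```

The failure only becomes visible after the security mode procedure has completed, which is why the identifier comparison by itself cannot detect it.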

Accordingly, a solving scheme has been provided in another patent application, which is as follows: a CI is added, and judgment for CI and judgment for encryption algorithms supported by the current subscriber and the network is also added. If a subscriber is a foreign subscriber and both the UE and network support the standard encryption algorithm, or if the subscriber is a domestic subscriber and both the UE and network support a self-developed encryption algorithm other than the standard encryption algorithm, normal security communication can be implemented; otherwise, security communication is unavailable. However, since a step of defining bits and a judge step are added, the whole message structure, message delivery procedure, parameter setting and control flow need to be added or changed accordingly. Thus the present processing flow is partly affected and the implementation is inconvenient.

SUMMARY OF THE INVENTION

Therefore, a main object of the present invention is to provide a method for determining encryption algorithm used in security communication based on MCC, which enables the subscriber to perform security communication utilizing effective encryption algorithm anywhere. This method not only allows the coexistence of standard encryption algorithms and self-developed encryption algorithm, but also simplifies the process of encryption algorithm selection. Accordingly, the subscriber interest and service quality is guaranteed.

To achieve the above-mentioned object, the specific technical scheme of this invention is as follows.

A method for determining encryption algorithm used in security communication based on MCC, comprising:

setting a MCC number list in a CN, and storing all the MCC numbers of those countries or service providers adopting the same self-developed encryption algorithms as those adopted by the homeland in this MCC number list;

when a UE is calling or being called, the UE sending an International Mobile Subscriber Identifier (IMSI) information of the current subscriber to the CN, the CN parsing the IMSI information and extracting the MCC number after receiving the IMSI information;

if the MCC number list in the CN is null, which means the current subscriber supports all of the available standard encryption algorithms, the CN directly selecting an available standard encryption algorithm for the security communication; otherwise, the CN comparing the extracted MCC number of the current subscriber with elements of the MCC number list one by one, if the MCC number of the current subscriber is identical with a certain MCC number in the MCC number list, the CN selecting the domestic self-developed encryption algorithm for the security communication; if the MCC number of the current subscriber is not identical with any MCC number in the MCC list, the CN selecting an available standard encryption algorithm for the security communication;

the CN instructing the UE and an access network to start security communication with the selected encryption algorithm.

Wherein said CN instructing the UE and the access network to start security communication with the selected encryption algorithm comprises: after selecting the encryption algorithm, the CN sending the UEA of the selected encryption algorithm to an access network; then the access network setting its own security mode and sending the UEA of the selected encryption algorithm to the UE, the UE setting its own security mode after receiving the UEA; the UE and the access network starting security communication with the selected encryption algorithm.

The method further comprises: the CN storing the extracted MCC number in a register after extracting the MCC number of the current subscriber.

From the technical scheme described above, it can be seen that the key point of this invention lies in: setting a MCC number list in CN and directly determining the encryption algorithm for security communication in CN according to MCC number.

Accordingly, this method for determining encryption algorithm used in security communication based on MCC has the following advantages and characteristics:

1) The method according to the present invention just needs to empower the CN to determine the final selection of encryption algorithms. No need to change any of the prior security execution flow. And the whole processing procedure will not be affected. Furthermore, the procedure of selecting the encryption algorithm is simplified.

2) The process of extracting MCC number from the IMSI information is added in the present invention. Since the IMSI used for extracting MCC number of the current subscriber is provided by the existing messages in the processing flow, there is no need to add any bit or message. The process is easy and convenient to realize.

3) In the method according to the present invention, since a MCC number list is preset in the CN and all the MCC numbers of those countries or service providers adopting the same self-developed encryption algorithms as the domestic are stored in the MCC number list, when the subscriber is roaming, the CN can determine an encryption algorithm by comparing the MCC number of the current subscriber and elements of the pre-reserved MCC number list. In this way, possible conflict is prevented when the subscriber roams; meanwhile intercommunication among the friendly service providers, who have specific requirements and adopt the same self-developed encryption algorithm, is guaranteed.

4) The method according to the present invention changes the original settled manner of encryption algorithm selection to a manner by comparing and choosing MCC number. Meanwhile the selection course is performed by CN other than the access network. This method is easy and flexible to implement, and applies to various kinds of mobile communication networks with pretty generalization.

5) The pre-reserved MCC number list in the present invention includes all the friendly countries or service providers adopting the same self-developed encryption algorithm as the domestic. Thus, when all the countries or service providers adopt standard encryption algorithms, the MCC number list can be set at null. Accordingly no matter whether the subscriber is local or roaming, the CN can determine corresponding encryption algorithm by directly comparing MCC number of the current subscriber with elements of the pre-reserved MCC number list. So the present invention not only effectively solves the conflict between the self-developed encryption algorithm requirement and the standard encryption algorithm selection when the subscriber is roaming, but also completely answers for the service providers' requirement of adopting only standard encryption algorithms.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a signaling flow chart of determining an encryption algorithm in prior art.

FIG. 2 is a flow chart illustrating the method for determining an encryption algorithm according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

Now, the present invention will be described in detail with reference to the accompanying drawings.

The precondition to realize the method according to the present invention is that if more than one encryption algorithm is defined in the regulation, in order to support international roam in every country of the world, the system is required to support all the standard encryption algorithms, which is the demand that all the prior 3G mobile communication systems must satisfy.

As to the systems of the countries or service providers requiring special encryption algorithms, the CN must support at least one set of self-developed nonstandard encryption algorithm besides all of the standard encryption algorithms mentioned above. Furthermore, for the system subscribers who have to adopt special nonstandard encryption algorithm, the serving terminal and access network must possess all of the standard encryption algorithms and this special nonstandard encryption algorithm simultaneously.

Based on the above-mentioned precondition, a scheme for selecting effective encryption algorithm in the CN is provided in the present invention. With reference to FIG. 2, this scheme for selecting encryption algorithm at least comprises the following steps:

1) Firstly, a MCC number list is preset in the CN, and all the MCC numbers of those countries or service providers adopting the same self-developed encryption algorithms as those adopted by the homeland are pre-stored in this MCC number list.

2) When a certain subscriber is calling or is being called, the subscriber sends his own IMSI information to the CN. After receiving the IMSI information, the CN parses the information and extracts the MCC number therefrom, i.e., extracts the MCC number from the IMSI information. The extracted MCC number can be stored in a register temporarily.

3) The CN compares the extracted MCC number of the current subscriber with elements of the MCC number list one by one. If the MCC number of the current subscriber is identical with a certain MCC number in the MCC number list pre-stored in CN, the CN regards this subscriber as a domestic subscriber or a specially permitted subscriber, and selects the self-developed encryption algorithm for the security communication.

4) If the MCC number of the current subscriber is not identical with any MCC number in the MCC number list pre-stored in CN or if the MCC number list is null, the CN regards this subscriber as a foreign subscriber or a roaming subscriber, and selects an available standard encryption algorithm for the security communication.

5) After the encryption algorithm is determined, the CN sends the UEA of the selected encryption algorithm to the access network through a relevant security control message.

6) After receiving the relevant security control message, the access network sets its own security mode and simultaneously sends the UEA of the selected encryption algorithm to UE through a relevant security control message. The UE sets its own security mode according to this message and the two sides start security communication with the selected encryption algorithm.

The above-mentioned steps mainly relate to the selection of encryption algorithm used in security communication. Other implementation procedures about security mode are completely similar to those in the prior art.
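Steps 1) to 6) can be written out as a short program. This is an added sketch, not code from the patent: the UEA values, the MCC list entries, the sample IMSIs, the length bounds and all function names are constructed for illustration. The only external fact relied on is that the MCC is the first three decimal digits of the IMSI.

```python
from dataclasses import dataclass
from typing import Sequence

# Constructed identifiers: the page gives no concrete UEA values.
UEA_STANDARD = 1          # assumed: a standard algorithm every party supports
UEA_SELF_DEVELOPED = 14   # assumed: reserved value used for the homeland algorithm

# Step 1: preset MCC number list (constructed sample values).
MCC_LIST = ["001", "999"]


class InvalidIMSI(ValueError):
    """Raised when the IMSI cannot yield a trustworthy MCC."""


def extract_mcc(imsi: str) -> str:
    """Step 2: the MCC is the first three decimal digits of the IMSI.

    Returned as a string so a leading zero survives the comparison in step 3.
    """
    if not (imsi.isascii() and imsi.isdigit()):
        raise InvalidIMSI("IMSI must contain ASCII decimal digits only")
    if not 6 <= len(imsi) <= 15:   # assumed bounds: MCC + MNC at least, 15 at most
        raise InvalidIMSI("IMSI length out of range")
    return imsi[:3]


@dataclass(frozen=True)
class Selection:
    mcc: str      # the value the CN may keep in a register
    uea: int      # identifier sent onward in steps 5 and 6
    reason: str   # why this UEA was chosen, for audit logging


def select_uea(imsi: str, mcc_list: Sequence[str]) -> Selection:
    """Steps 2 to 4, performed in the CN."""
    mcc = extract_mcc(imsi)
    if not mcc_list:                       # null list: standard algorithm only
        return Selection(mcc, UEA_STANDARD, "mcc-list-null")
    for entry in mcc_list:                 # compared one by one, as in step 3
        if entry == mcc:
            return Selection(mcc, UEA_SELF_DEVELOPED, "mcc-listed")
    return Selection(mcc, UEA_STANDARD, "mcc-not-listed")


def security_mode_setup(imsi: str, mcc_list: Sequence[str],
                        ue_supported_ueas: Sequence[int]):
    """Steps 5 and 6 as a message trace, plus a check of the page's
    precondition that the terminal really implements the chosen UEA."""
    sel = select_uea(imsi, mcc_list)
    trace = [("CN", "access network", sel.uea),
             ("access network", "UE", sel.uea)]
    ue_can_comply = sel.uea in ue_supported_ueas
    return sel, trace, ue_can_comply


if __name__ == "__main__":
    # Constructed IMSIs: one listed subscriber, one roaming subscriber.
    for imsi in ("001010123456789", "002990000000001"):
        print(security_mode_setup(imsi, MCC_LIST, [UEA_STANDARD, UEA_SELF_DEVELOPED]))
```

The last return value makes visible what the scheme takes for granted: the MCC describes the subscription, so a listed subscriber on a terminal without the self-developed algorithm is selected for a UEA the terminal cannot run.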

According to the method described above, if the MCC number extracted from IMSI information is included in MCC number list, it means this subscriber adopts the domestic nonstandard encryption algorithm; if the MCC number extracted from IMSI information is not included in MCC number list, it means this subscriber supports all of the standard encryption algorithms; if the MCC number list is null, it also means this subscriber supports all of the standard encryption algorithms. In other words, when a domestic subscriber is applying the service inland, the special encryption algorithm will be selected for security communication according to selection of MCC number; if a domestic subscriber is applying the service in a country or in a service provider's system adopting the same nonstandard encryption algorithm as the domestic, this special encryption algorithm will be selected for security communication according to selection of MCC number; if a domestic subscriber is roaming in a country or a service provider's system only supporting the standard encryption algorithms, a certain standard encryption algorithm will be selected for security communication according to selection of MCC number. Similarly, if a subscriber only supporting standard encryption algorithms roams in a country or a service provider's system supporting nonstandard encryption algorithms, a certain standard encryption algorithm will be selected for security communication according to selection of MCC number also; if a subscriber supporting a certain nonstandard encryption algorithm roams in a country or a service provider's system supporting the same nonstandard encryption algorithm, this special encryption algorithm will be selected for security communication according to selection of MCC number.

The method described above not only effectively solves the conflict between requirement for self-developed encryption algorithm and selection of standard encryption algorithm when a subscriber is roaming, but also guarantees security communication among domestic and foreign subscribers by selecting different encryption algorithm according to different zones.

1. A method for determining encryption algorithm used in secured communication based on Mobile Country Code (MCC), comprising: setting a MCC number list in a Core Network (CN), and storing all MCC numbers of those countries or service providers adopting the same self-developed encryption algorithms as those adopted by the homeland in this MCC number list; when a User Equipment (UE) is calling or being called, the UE sending an International Mobile Subscriber Identifier (IMSI) information of the current subscriber to the CN, the CN parsing the IMSI information and extracting the MCC number after receiving the IMSI information; if the MCC number list in the CN is null, the CN directly selecting an available standard encryption algorithm for the secured communication; otherwise the CN comparing the extracted MCC number of the current subscriber with elements of the MCC number list one by one, and if the MCC number of the current subscriber is identical with a certain MCC number in the MCC number list, the CN selecting the domestic self-developed encryption algorithm for the secured communication, otherwise the CN selecting an available standard encryption algorithm for the secured communication; and the CN instructing the UE and an access network to start secured communication with the selected encryption algorithm.

2. The method of claim 1, wherein said CN instructing the UE and the access network to start secured communication with the selected encryption algorithm comprises: after selecting the encryption algorithm, the CN sending the User Encryption Algorithm (UEA) of the selected encryption algorithm to the access network; then the access network setting its own secured mode and sending the UEA of the selected encryption algorithm to the UE, the UE setting its own security mode after receiving the UEA; the UE and the access network starting secured communication with the selected encryption algorithm.

3. The method of claim 1, further comprising: the CN storing the extracted MCC number in a register after extracting the MCC number of the current subscriber.

4. The method of claim 1, the current subscriber supports all of the available standard encryption algorithms if the MCC number list is null.

5. A method for selecting an encryption algorithm used in secure communication based on Mobile Country Code (MCC), comprising: selecting a MCC number list in a Core Network (CN), and storing in the selected MCC number list all MCC numbers of those countries or service providers adopting a self-developed encryption algorithm adopted by a homeland; when a User Equipment (UE) initiates or receives a call, the UE sending International Mobile Subscriber Identifier (IMSI) information of a current subscriber to the CN, the CN parsing the IMSI information and extracting the MCC number from the IMSI information; if the MCC number list in the CN is null, the CN directly selecting an available standard encryption algorithm for the secure communication; otherwise, the CN comparing the extracted MCC number of the current subscriber with the MCC numbers stored in the MCC number list, and if the MCC number of the current subscriber is identical with a matching MCC number in the MCC number list, the CN selecting the domestic self-developed encryption algorithm for the secure communication; otherwise, the CN selecting an available standard encryption algorithm for the secure communication.

6. The method of claim 5, further comprising: the CN sending the User Encryption Algorithm (UEA) of the selected encryption algorithm to an access network; the access network setting its own security mode and sending the UEA of the selected encryption algorithm to the UE; and the UE setting its own security mode after receiving the UEA.

7. The method of claim 5, further comprising: the CN storing the extracted MCC number in a register after extracting the MCC number of the current subscriber.

8. The method of claim 1, wherein the current subscriber supports all of the available standard encryption algorithms if the MCC number list is null.

9. A method for selecting an encryption algorithm used in secure communication based on Mobile Country Code (MCC), comprising: selecting a MCC number list in a Core Network (CN), and storing in the selected MCC number list all MCC numbers of those countries or service providers adopting a self-developed encryption algorithm adopted by the homeland; when a User Equipment (UE) initiates or receives a call, the UE sending International Mobile Subscriber Identifier (IMSI) information of a current subscriber to the CN, the CN parsing the IMSI information and extracting the MCC number from the IMSI information; if the MCC number list in the CN is null, the CN directly selecting an available standard encryption algorithm for the secure communication; otherwise, the CN comparing the extracted MCC number of the current subscriber from the IMSI information with the MCC numbers stored in the MCC number list, and if the MCC number of the current subscriber is identical with a matching MCC number in the MCC number list, the CN selecting the domestic self-developed encryption algorithm for the secure communication; otherwise, the CN selecting an available standard encryption algorithm for the secure communication, the selected encryption algorithm being used by the UE for secure communication.

10. The method of claim 9, further comprising: the CN sending the User Encryption Algorithm (UEA) of the selected encryption algorithm to an access network; the access network setting its own security mode and sending the UEA of the selected encryption algorithm to the UE; and the UE setting its own security mode after receiving the UEA.

11. The method of claim 9, further comprising the CN storing the extracted MCC number in a register after extracting the MCC number of the current subscriber.

12. The method of claim 9, wherein the current subscriber supports all of the available standard encryption algorithms if the MCC number list is null.